BUG/MINOR: mux_quic: do not release conn on qcc_recv() for QMux

Recently, an extra check has been added so that a dead connection is immediately release on at the end of qcc_recv() operation. This is useful when a GOAWAY frame is received from a server, so that the backend connection is released if idle. This step is in fact only necessary for QUIC, as qcc_recv() is called directly from the lower transport layer. It causes issues with QMux as in this case qcc_recv() is called via qcc_io_recv(). A crash in this context will occur as qcc_recv() does not indicate that a release has been performed. To fix this, simply disable the extra check at the end of qcc_recv() for QMux. This is fine as in this case receive operation is always followed by qcc_io_process() which is able to release the connection in a safe way. No need to backport.
2026-05-04 12:41:00 +02:00 · 2026-04-23 15:32:58 +02:00 · 2026-04-23 15:32:58 +02:00 · d7e3b826f2
commit d7e3b826f2
parent c08dcd3519
1 changed files with 6 additions and 2 deletions
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@ -2036,8 +2036,12 @@ int qcc_recv(struct qcc *qcc, uint64_t id, uint64_t len, uint64_t offset,
 		BUG_ON_HOT(fin_standalone); /* On fin_standalone <ret> should be NULL, which ensures no infinite loop. */
 	}

-	/* Ensure that an idle backend conn is freed if it cannot open new stream. */
-	if (conn_is_back(qcc->conn) && qcc_is_dead(qcc)) {
+	/* Ensure that an idle backend conn is freed if it cannot open new
+	 * stream. This is only performed for QUIC which directly calls
+	 * qcc_recv() and is not compatible with QMux. For the latter, dead
+	 * connection should still be detected after recv via qcc_io_process().
+	 */
+	if (conn_is_quic(qcc->conn) && conn_is_back(qcc->conn) && qcc_is_dead(qcc)) {
 		TRACE_STATE("releasing dead connection after STREAM decoding", QMUX_EV_QCC_RECV, qcc->conn);
 		qcc_release(qcc);
 		return 0;